Hack The Box - Pilgrimage [Easy] - 20/08/2023

HTB Writeup

I started off with rustscan

$ rustscan -a 
Open 10.10.11.219:22
Open 10.10.11.219:80

Then I ran ffuf to brute force some directories.

$ ffuf -u http://10.10.11.219/FUZZ -w ~/tools/SecLists/Discovery/Web-Content/common.txt

That yielded the .git folders, I used git-dumper to dump the whole repository. Upon investigating the source code of the application, I’ve noticed a user called emily. I also discovered an executable magick and this fragmet of code:

$newname = uniqid();
exec("/var/www/pilgrimage.htb/magick convert /var/www/pilgrimage.htb/tmp/" . $upload->getName() . $mime . " -resize 50% /var/www/pilgrimage.htb/shrunk/" . $newname . $mime);
unlink($upload->getFullPath());

The program seems to be invoking this binary to shrink the image that is being uploaded through the website, the program itself is ImageMagick 7.1.0-49 beta we discover that by invoking it with -version.

$ ./magick -version
Version: ImageMagick 7.1.0-49 beta Q16-HDRI x86_64 c243c9281:20220911 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5) 
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)

This version is vulnerable to Arbitrary Remote Leak, https://www.metabaseq.com/imagemagick-zero-days/.

Furthermore, we notice some files of interest in the source code as well, such as the database file.

$db = new PDO('sqlite:/var/db/pilgrimage');

Exploiting

I’ve used this PoC to generate my payload: https://github.com/Sybil-Scan/imagemagick-lfi-poc

I’ve crafted my malicious image to read the database file /var/db/pilgrimage and shrink it through the website, I’ve then downloaded the file and converted the bytes, opened it and after some digging I found the password for user emiliy. Then you can login with ssh.

Getting root

I’ve used linpeas.sh to enumerate the system, and I’ve noticed a process running:

root         726  0.0  0.0   6816  3072 ?        Ss   15:00   0:00 /bin/bash /usr/sbin/malwarescan.sh

I checked the permissions of the script:

emily@pilgrimage:~$ ls -la /usr/sbin/malwarescan.sh
-rwxr--r-- 1 root root 474 Jun  1 19:14 /usr/sbin/malwarescan.sh

And then I saw the script itself:

emily@pilgrimage:~$ cat /usr/sbin/malwarescan.sh
#!/bin/bash

blacklist=("Executable script" "Microsoft executable")

/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
	filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
	binout="$(/usr/local/bin/binwalk -e "$filename")"
        for banned in "${blacklist[@]}"; do
		if [[ "$binout" == *"$banned"* ]]; then
			/usr/bin/rm "$filename"
			break
		fi
	done
done

This script seems to be invoking binwalk, I searched for some exploits and I found this one: https://www.exploit-db.com/exploits/51249 following the steps in the exploit, I’ve set up a listener and placed the malicious png crafted by the exploit in the /var/www/pilgrimage.htb/shrunk/ directory.

emily@pilgrimage:/tmp/syl$ cp ./binwalk_exploit.png /var/www/pilgrimage.htb/shrunk/

After a couple of seconds, my listener got a connection, which was with root privileges.

Conclusions

I wanted to investigate a little further how the magick binary includes the file that it converts and this article explains it perfectly.

https://www.metabaseq.com/imagemagick-zero-days/

The exploit targets the tEXt chunk of the PNG file, and this chunk is being used for storing key-value metadata for the PNG file. The problem comes whenever you use the “profile” string into that metadata, if that is being used as “key” the “value” is being interpreted as a filename, that then the functions FileToStringInfoFileToBlob will fetch from the system, and it will populate the “value” with the file’s contents.

And to add some speculation on top of it, this almost feels like a backdoor ;).